import: ingested 160 files from C:\Users\howar\Clients

Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00
parent 251edef420
commit 121ba75fda
160 changed files with 16002 additions and 0 deletions


@@ -0,0 +1,84 @@
# DHCP Configuration
## DHCP Server
- Server: pfSense (pfsense.cascades.local)
- Server IP: 192.168.0.1
## Scopes
### LAN Scope
- Interface: LAN (192.168.0.0/22)
- Range: 192.168.2.2 - 192.168.3.254
- Enabled: Yes
- DHCP Option 43: Configured (UniFi controller discovery)
### INTERNAL (VLAN 20) Scope
- Interface: INTERNAL (10.0.20.0/24)
- Range: 10.0.20.50 - 10.0.20.239
- Enabled: Yes
- DNS Server: 192.168.0.1
### GUEST (VLAN 50) Scope — ADDED 2026-03-06
- Interface: GUEST (10.0.50.0/24)
- Range: 10.0.50.50 - 10.0.50.239
- Enabled: Yes
- DNS Server: 10.0.50.1
### 999GuruTestNet Scope
- Interface: 999GuruTestNet (10.0.99.0/28)
- Range: 10.0.99.2 - 10.0.99.14
- Enabled: Yes
- Domain: 99.cascades.local
- DNS Server: 10.0.99.1
### Room VLAN DHCP Scopes (All Rooms)
Every room VLAN has DHCP enabled with a consistent pattern:
- Subnet: /28 per room
- Range: x.x.x.2 - x.x.x.14 (13 usable IPs per room)
- DNS: Defaults to pfSense interface IP (gateway)
- No static mappings
~~**Known Issue:** Room218 DHCP scope~~ **FIXED 2026-03-07** — Range end changed from 10.2.18.2 to 10.2.18.14
## Migration Plan — DHCP Changes (Phase 1.2)
### ~~New: GUEST Scope~~ — DONE 2026-03-06
Guest DHCP scope created (see GUEST scope above).
### LAN Static Mappings (DHCP Reservations)
| Device | MAC | IP | Purpose |
|--------|-----|-----|---------|
| Front Desk Epson ET-5800 | dc:cd:2f:82:2b:7a | 192.168.2.147 | Printer |
| Business Office Canon MF455DW | 80:a5:89:f6:71:9b | 192.168.3.227 | Printer |
| Marketing Brother MFC-L8900CDW | — (not on network) | 192.168.2.21 | Printer |
| 206 Health Services Brother | 00:20:6b:b3:4a:55 | 192.168.1.138 | Printer |
| MemCare MedTech Brother | c8:a3:e8:a2:dd:93 | 192.168.2.53 | Printer — online, dual-connected (WiFi+ethernet, needs fix) |
| MemCare Director Canon MF451CDW | 20:0b:74:b2:29:08 | 192.168.3.52 | Printer |
| Kitchen printer | — (not on network) | 192.168.0.121 | Printer |
| Epson (USW Port 8) | dc:cd:2f:22:09:69 | 192.168.2.207 | Printer |
| Canon (USW Port 45) | 74:bf:c0:fd:7a:64 | 192.168.2.230 | Printer |
| Printer-80A423 (Lite 8 Port 2) | f8:25:51:80:a4:23 | 192.168.2.202 | Printer |
| CS-QB VM | 00:15:5d:02:3b:02 | 192.168.2.228 | VoIP server (Hyper-V) |
| MDIRECTOR-PC | 98:ee:cb:9d:8a:81 | 192.168.3.20 | MemCare Director staff PC |
### INTERNAL Static Mappings
| Device | MAC | IP |
|--------|-----|-----|
| SALES4-PC | — (not on network) | 10.0.20.203 |
| CRYSTAL-PC | f0:09:0d:0d:fc:a7 | 10.0.20.205 |
| ACCT2-PC | 98:8d:46:f1:2d:c2 | 10.0.20.209 |
| DESKTOP-KQSL232 | c8:ff:28:64:8a:9f | 10.0.20.227 |
| CHEF-PC | 98:ee:cb:9d:8a:84 | 10.0.20.232 |
| DESKTOP-H6QHRR7 | f0:09:0d:0d:fe:e9 | 10.0.20.235 |
### Fix: Room 218
Change DHCP range end from `10.2.18.2` to `10.2.18.14`.
See `migration/phase1-network.md` for full steps.
## DHCP Relay
- Not configured (pfSense serves DHCP directly on all interfaces)
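Review bot: the "Fix: Room 218" subsection (change DHCP range end from `10.2.18.2` to `10.2.18.14`) still reads as an open migration step while the Known Issue line above records it as FIXED 2026-03-07; mark the subsection DONE with the same date so the two do not disagree. Three reservation rows carry "— (not on network)" in the MAC column (Marketing Brother, Kitchen printer, SALES4-PC); a static mapping needs a MAC, so these are planned addresses rather than reservations and should be labelled as such until the MAC is captured on site. Also, the INTERNAL scope hands out 192.168.0.1 as its DNS server rather than its own interface address, unlike GUEST (10.0.50.1) and the room scopes, so VLAN 20 name resolution depends on a cross-VLAN rule allowing 10.0.20.0/24 to 192.168.0.1:53; state that explicitly, because the post-migration INTERNAL rules (which pass 53 only to Server_IPs and then block `_private4_`) would cut that path unless the scope is changed to 10.0.20.1 or the rule set keeps it open.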


@@ -0,0 +1,135 @@
# DNS Configuration
## Internal DNS Server (Unbound Resolver)
- Server: pfSense (pfsense.cascades.local)
- Server IP: 192.168.0.1
- DNSSEC: Enabled
- Prefetch: Enabled
- Active Interface: All
- Outgoing Interface: WAN
## DNS Forwarders (System DNS)
- Forwarder 1: 8.8.8.8 (Google)
- Forwarder 2: 1.1.1.1 (Cloudflare)
## Cache Settings
- Message Cache Size: 512
- Max TTL: 86400 (24 hours)
- Min TTL: 0
- Infra Host TTL: 900
- Infra Cache Hosts: 10000
## DHCP Integration
- Register DHCP leases in DNS: Yes
- Register DHCP static mappings: Yes
## Host Overrides
| Hostname | Domain | IP Address | Aliases |
|-------------|-----------------|----------------|---------------------------|
| cascadesds | cascades.local | 192.168.0.120 | synology.cascades.local |
## Windows DNS Server (AD-Integrated)
- Server: CS-SERVER (192.168.2.254)
- Required for: Active Directory domain resolution, SRV records, Kerberos, LDAP
### DNS Zones
| Zone | Type | AD-Integrated | Auto-Created | Notes |
|------|------|---------------|-------------|-------|
| cascades.local | Primary | Yes | No | Main AD zone |
| _msdcs.cascades.local | Primary | Yes | No | AD metadata zone |
| 0.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 127.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 255.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| TrustAnchors | Primary | Yes | No | DNSSEC trust anchors |
**NOTE: No real reverse lookup zones exist** for any production subnet (192.168.0.0/22, 10.0.20.0/24, room VLANs). Only auto-created placeholder zones.
### Key DNS Records (cascades.local zone)
| Hostname | Type | IP / Data | Timestamp | Notes |
|----------|------|-----------|-----------|-------|
| @ (cascades.local) | A | 192.168.0.5 | 3/25/2025 | **STALE — not current DC IP** |
| @ (cascades.local) | A | 192.168.2.59 | 9/22/2024 | **STALE — not current DC IP** |
| cs-server | A | 192.168.2.254 | Static | Correct DC record |
| ACCT2-PC | A | 10.0.20.209 | 3/2/2026 | Current |
| CRYSTAL-PC | A | 192.168.5.115 | 3/27/2025 | **STALE — should be 10.0.20.205** |
| CS-QB | A | 192.168.5.29 | 3/27/2025 | **STALE — should be 192.168.2.228** |
| DESKTOP-1ISF081 | A | 192.168.5.30 | 3/27/2025 | **192.168.5.x not a documented subnet** |
| DESKTOP-H6QHRR7 | A | 10.0.20.235 | 3/2/2026 | Current |
| Cascades-Probe | A | 192.168.3.155 | 4/23/2025 | Monitoring probe? |
| Probe | A | 192.168.5.160 | 3/14/2025 | Monitoring probe? |
| DomainDnsZones | A | 192.168.0.5 | 3/25/2025 | **STALE** |
| DomainDnsZones | A | 192.168.2.59 | 9/22/2024 | **STALE** |
| ForestDnsZones | A | 192.168.0.5 | 3/25/2025 | **STALE** |
| ForestDnsZones | A | 192.168.2.59 | 9/22/2024 | **STALE** |
### AD SRV Records (all point to cs-server.cascades.local)
- _gc._tcp (Global Catalog, port 3268)
- _kerberos._tcp (Kerberos, port 88)
- _kpasswd._tcp (Kerberos password, port 464)
- _ldap._tcp (LDAP, port 389)
- All registered 8/28/2024 — normal for single-DC environment
### DNS Issues — Status
1. ~~**Stale @ records**~~**FIXED 2026-03-06.** Removed old 192.168.0.5 and 192.168.2.59. Added correct 192.168.2.254.
2. ~~**Stale computer records**~~**FIXED 2026-03-06.** Removed CRYSTAL-PC (192.168.5.115), CS-QB (192.168.5.29), DESKTOP-1ISF081 (192.168.5.30).
3. ~~**No reverse lookup zones**~~**FIXED 2026-03-06.** Created 5 reverse zones covering LAN /22 and INTERNAL.
4. ~~**DomainDnsZones/ForestDnsZones stale**~~**FIXED 2026-03-06.** Removed old IPs, added 192.168.2.254.
## DNS Architecture (pfSense + Windows DNS)
- **pfSense Unbound** (192.168.0.1): Primary DNS resolver for all clients. Forwards external queries to 8.8.8.8 / 1.1.1.1. Registers DHCP leases.
- **Windows DNS** (192.168.2.254): Authoritative for cascades.local zone. Required for AD SRV records, Kerberos, LDAP lookups.
- **Forwarding relationship:** Needs verification — pfSense should forward cascades.local queries to 192.168.2.254, and Windows DNS should forward external queries to pfSense or directly to internet resolvers.
- Domain-joined PCs likely use 192.168.2.254 as DNS (per server's own config) or 192.168.0.1 (per DHCP).
## Migration Plan — DNS Changes (Phase 1.4 + 2.1)
See `migration/phase2-server-prep.md` and `migration/scripts/phase2-dns-cleanup.ps1`.
### pfSense Domain Overrides (Phase 1.4) — DONE 2026-03-06
| Domain | Forward to | Purpose | Status |
|--------|-----------|---------|--------|
| `cascades.local` | 192.168.2.254 | AD domain resolution | ✅ Added |
| `_msdcs.cascades.local` | 192.168.2.254 | AD metadata zone | ✅ Added |
### CS-SERVER DNS Client Fix (Phase 1.4) — DONE 2026-03-06
~~CS-SERVER used pfSense (192.168.0.1) + 8.8.8.8 as DNS.~~ Fixed: now uses `127.0.0.1, 192.168.0.1`. Verified — both `cs-server.cascades.local` and `google.com` resolve correctly through localhost.
### CS-SERVER Forwarder Fix (Phase 1.4)
Set Windows DNS forwarder to `192.168.0.1` (pfSense) for external resolution. **TODO: Verify this is set.**
### Stale Record Cleanup (Phase 2.1) — DONE 2026-03-06
All stale records removed and correct records added:
- ~~cascades.local @ → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: @ → 192.168.2.254
- ~~CRYSTAL-PC → 192.168.5.115~~ Removed (will re-register correct IP via DHCP)
- ~~CS-QB → 192.168.5.29~~ Removed (will re-register correct IP via DHCP)
- ~~DESKTOP-1ISF081 → 192.168.5.30~~ Removed
- ~~DomainDnsZones → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: → 192.168.2.254
- ~~ForestDnsZones → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: → 192.168.2.254
### Enable Scavenging (Phase 2.1) — DONE 2026-03-06
- Server-level scavenging: enabled, 7-day interval ✅
- Zone aging on cascades.local: enabled ✅
- First scavenge available: 3/13/2026 (14-day aging window from enable date)
### Create Reverse Lookup Zones (Phase 2.1) — DONE 2026-03-06
All 5 reverse zones created (AD-integrated, Domain replication scope):
- 0.168.192.in-addr.arpa ✅
- 1.168.192.in-addr.arpa ✅
- 2.168.192.in-addr.arpa ✅
- 3.168.192.in-addr.arpa ✅
- 20.0.10.in-addr.arpa ✅
## External DNS
- Not documented yet (registrar, hosted DNS, etc.)
## Notes
- pfSense Unbound serves as the DNS resolver for all VLANs
- Room VLANs use their gateway (pfSense interface IP) as DNS server
- INTERNAL VLAN uses 192.168.0.1 explicitly as DNS
- 999GuruTestNet uses 10.0.99.1 as DNS
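Review bot: the Key DNS Records table still lists the @ records for 192.168.0.5 / 192.168.2.59, CRYSTAL-PC, CS-QB, DESKTOP-1ISF081 and the DomainDnsZones/ForestDnsZones entries as STALE, while the status list and the Phase 2.1 section say all of them were removed on 2026-03-06, and the bold NOTE that no real reverse zones exist is contradicted by the five zones created the same day; either refresh the table and the NOTE or caption them as the pre-cleanup snapshot. Two things still need verifying: the Forwarder Fix carries a TODO, so which path the DC uses for external names (forwarder to 192.168.0.1, or root hints out through the floating DNS rule) is unconfirmed even though `google.com` resolved; and with "Register DHCP leases in DNS" enabled on Unbound while a domain override forwards `cascades.local` (pfSense's own domain, per its hostname) to 192.168.2.254, lease-registered names in that domain are answered from Unbound's local data rather than forwarded, so the two name sources can diverge for any host present in both. Also, the `synology.cascades.local` alias exists only as a pfSense host override; domain-joined PCs that use 192.168.2.254 directly will not resolve it unless the same record is added to the Windows zone.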


@@ -0,0 +1,279 @@
# Firewall Configuration
## Device Info
- Vendor/Model: Netgate pfSense
- Firmware Version: 24.0
- Hostname: pfsense.cascades.local
- Management IP: 192.168.0.1 (LAN), 184.191.143.62 (WAN)
- Management URL: https://192.168.0.1
- HA Pair: No
- SSH: Enabled
- Timezone: America/Phoenix
- System DNS: 8.8.8.8, 1.1.1.1
- Crypto Hardware: AES-NI + Cryptodev
- NIC Driver: igc (Intel i225/i226 series)
## Physical Interfaces
| Interface | NIC | Zone/Name | IP Address | Subnet | Notes |
|-----------|--------|----------------|--------------------|--------|--------------------------------|
| igc0 | WAN | WAN | 184.191.143.62 | /30 | Primary Internet (static) |
| igc1 | LAN | LAN | 192.168.0.1 | /22 | Management / main LAN |
| igc1.20 | opt238 | INTERNAL | 10.0.20.1 | /24 | Infrastructure VLAN 20 |
| igc1.50 | GUEST | GUEST | 10.0.50.1 | /24 | Guest WiFi VLAN (added 2026-03-06) |
| igc1.999 | opt1 | 999GuruTestNet | 10.0.99.1 | /28 | Test/lab network |
| igc3 | opt240 | WANCOAX | DHCP | -- | Secondary WAN (coax backup) |
## Gateways
| Name | Interface | Address | Protocol | Notes |
|--------------|-----------|-----------------|----------|---------------------------|
| WANGW | wan | 184.191.143.61 | IPv4 | **DEFAULT GATEWAY** |
| WANCOAX_DHCP | opt240 | dynamic | IPv4 | Backup WAN, monitor 8.8.8.8 |
## Gateway Group: WAN_Group
- Members: WAN_DHCP (Tier 1) + WANCOAX_DHCP (Tier 1)
- Mode: Load-balance / failover
- Trigger: Download loss + latency
## Room VLAN Scheme
Each room gets its own VLAN and /28 subnet. Pattern: `10.[floor].[room_number].0/28`, gateway at `.1`.
### Floor 1 (VLANs 101-149)
| Room | VLAN | Subnet | Gateway |
|------|----------|--------------------|---------------|
| 101 | igc1.101 | 10.1.1.0/28 | 10.1.1.1 |
| 102 | igc1.102 | 10.1.2.0/28 | 10.1.2.1 |
| 103 | igc1.103 | 10.1.3.0/28 | 10.1.3.1 |
| 104 | igc1.104 | 10.1.4.0/28 | 10.1.4.1 |
| 105 | igc1.105 | 10.1.5.0/28 | 10.1.5.1 |
| 106 | igc1.106 | 10.1.6.0/28 | 10.1.6.1 |
| 107 | igc1.107 | 10.1.7.0/28 | 10.1.7.1 |
| 108 | igc1.108 | 10.1.8.0/28 | 10.1.8.1 |
| 109 | igc1.109 | 10.1.9.0/28 | 10.1.9.1 |
| 110 | igc1.110 | 10.1.10.0/28 | 10.1.10.1 |
| 111 | igc1.111 | 10.1.11.0/28 | 10.1.11.1 |
| 112 | igc1.112 | 10.1.12.0/28 | 10.1.12.1 |
| 115 | igc1.115 | 10.1.15.0/28 | 10.1.15.1 |
| 116 | igc1.116 | 10.1.16.0/28 | 10.1.16.1 |
| 117 | igc1.117 | 10.1.17.0/28 | 10.1.17.1 |
| 118 | igc1.118 | 10.1.18.0/28 | 10.1.18.1 |
| 119 | igc1.119 | 10.1.19.0/28 | 10.1.19.1 |
| 120 | igc1.120 | 10.1.20.0/28 | 10.1.20.1 |
| 121 | igc1.121 | 10.1.21.0/28 | 10.1.21.1 |
| 122 | igc1.122 | 10.1.22.0/28 | 10.1.22.1 |
| 123 | igc1.123 | 10.1.23.0/28 | 10.1.23.1 |
| 124 | igc1.124 | 10.1.24.0/28 | 10.1.24.1 |
| 125 | igc1.125 | 10.1.25.0/28 | 10.1.25.1 |
| 126 | igc1.126 | 10.1.26.0/28 | 10.1.26.1 |
| 127 | igc1.127 | 10.1.27.0/28 | 10.1.27.1 |
| 128 | igc1.128 | 10.1.28.0/28 | 10.1.28.1 |
| 129 | igc1.129 | 10.1.29.0/28 | 10.1.29.1 |
| 130 | igc1.130 | 10.1.30.0/28 | 10.1.30.1 |
| 131 | igc1.131 | 10.1.31.0/28 | 10.1.31.1 |
| 132 | igc1.132 | 10.1.32.0/28 | 10.1.32.1 |
| 133 | igc1.133 | 10.1.33.0/28 | 10.1.33.1 |
| 134 | igc1.134 | 10.1.34.0/28 | 10.1.34.1 |
| 135 | igc1.135 | 10.1.35.0/28 | 10.1.35.1 |
| 136 | igc1.136 | 10.1.36.0/28 | 10.1.36.1 |
| 137 | igc1.137 | 10.1.37.0/28 | 10.1.37.1 |
| 138 | igc1.138 | 10.1.38.0/28 | 10.1.38.1 |
| 140 | igc1.140 | 10.1.40.0/28 | 10.1.40.1 |
| 142 | igc1.142 | 10.1.42.0/28 | 10.1.42.1 |
| 143 | igc1.143 | 10.1.43.0/28 | 10.1.43.1 |
| 144 | igc1.144 | 10.1.44.0/28 | 10.1.44.1 |
| 145 | igc1.145 | 10.1.45.0/28 | 10.1.45.1 |
| 146 | igc1.146 | 10.1.46.0/28 | 10.1.46.1 |
| 147 | igc1.147 | 10.1.47.0/28 | 10.1.47.1 |
| 148 | igc1.148 | 10.1.48.0/28 | 10.1.48.1 |
| 149 | igc1.149 | 10.1.49.0/28 | 10.1.49.1 |
Missing rooms on Floor 1: 113, 114, 139, 141
### Floor 2 (VLANs 201-249)
Same pattern: `10.2.[room].0/28`
Rooms: 201-212, 215-238, 240-249
Missing: 213, 214, 239
### Floor 3 (VLANs 301-350)
Pattern: `10.3.[room].0/28`
Rooms: 301-312, 315-350
Missing: 313, 314
Note: Room339 interface exists but may NOT be enabled
### Floor 4 (VLANs 401-449)
Pattern: `10.4.[room].0/28`
Rooms: 401-412, 415-449
Missing: 413, 414
### Floor 5 (VLANs 501-522)
Pattern: `10.5.[room].0/28`
Rooms: 501-512, 514-522
Missing: 513
### Floor 6 (VLANs 603-631)
Pattern: `10.6.[room].0/28`
Rooms: 603-631
Missing: 601, 602
## Firewall Rules
### Floating Rules (apply to all/multiple interfaces)
| # | Action | Interface | Protocol | Source | Destination | Description |
|---|--------|----------------|-----------|---------------|-------------|----------------------------------|
| 1 | PASS | openvpn | IPv4 | any | any | OpenVPN pass-all |
| 2 | PASS | any | ICMP | any | any | Allow all ICMP |
| 3 | PASS | All_Networks | TCP/UDP | any | any:53 | All Networks DNS Allow |
| 4 | PASS | any | IPv4 | any | any | Allow all IPv4 (permissive) |
| 5 | BLOCK | wan | IPv4+IPv6 | NOT lanip | (self) | Block external access to firewall|
### WAN Rules
| # | Action | Protocol | Source | Destination | Port | Description |
|---|--------|----------|-----------------|-------------|------|--------------------------|
| 1 | PASS | UDP | any | wanip | 1194 | OpenVPN IT Staff |
| 2 | BLOCK | IPv4 | NOT All_Networks| (self) | any | Block ext access to FW |
### LAN Rules
| # | Action | Protocol | Source | Destination | Gateway | Description |
|---|--------|----------|-------------|-------------|-----------|--------------------------|
| 1 | PASS | IPv4 | INTERNAL net| LAN net | WAN_Group | INTERNAL to LAN via WAN_Group |
| 2 | PASS | IPv4 | LAN net | any | WAN_Group | Default LAN to any |
| 3 | PASS | IPv6 | LAN net | any | -- | Default LAN IPv6 to any |
### INTERNAL (VLAN 20) Rules
| # | Action | Protocol | Source | Destination | Description |
|---|--------|----------|---------------|-------------|--------------------------|
| 1 | PASS | IPv4 | INTERNAL net | LAN net | INTERNAL to LAN access |
### GUEST (VLAN 50) Rules — ADDED 2026-03-06
| # | Action | Protocol | Source | Destination | Description |
|---|--------|----------|--------|-------------|-------------|
| 1 | BLOCK | IPv4 | GUEST subnet | 192.168.0.0/22 | Block Guest to LAN |
| 2 | BLOCK | IPv4 | GUEST subnet | 10.0.0.0/8 | Block Guest to private 10.x |
| 3 | BLOCK | IPv4 | GUEST subnet | 172.16.0.0/12 | Block Guest to private 172.x |
| 4 | PASS | IPv4 | GUEST subnet | any | Guest internet access |
### Room130 Rules
| # | Action | Protocol | Notes |
|---|----------|----------|--------------------|
| 1 | PASS | TCP | **DISABLED** |
## NAT
- Port Forwards: None
- Outbound NAT: Automatic mode (480 auto-generated rules covering all subnets)
## VPN - OpenVPN Server
| Setting | Value |
|----------------------|------------------------------------|
| Description | IT Staff |
| Mode | TLS + User Auth (server_tls_user) |
| Auth Backend | Local Database |
| Protocol | UDP4 |
| Listen Port | 1194 |
| Interface | WAN |
| Tunnel Network | 192.168.10.0/28 |
| Pushed Local Network | 192.168.0.0/22 |
| Pushed DNS Server | 192.168.0.1 |
| CA | CascadesVPN 25 |
| Ciphers | AES-256-GCM, AES-128-GCM, CHACHA20-POLY1305 |
| DH Length | 2048 |
| Digest | SHA256 |
| Topology | Subnet |
| Client-to-Client | Yes |
| Compression | Not allowed |
| Keepalive | 10s / 60s timeout |
| Inactive Timeout | 300s |
## Interface Groups
| Group Name | Members | Purpose |
|-------------------|-----------------------------------------|----------------------------|
| ResidentsGroup | All room interfaces (opt2-opt237) | All resident room VLANs |
| All_Networks | LAN + opt1-opt238 | Every internal interface |
| Wan_Group_Inter | wan + opt240 | Both WAN interfaces |
## pfSense Users
| Username | Role | Group |
|-----------|---------|--------|
| admin | System Admin | admins |
| Howard | User | admins |
| sysadmin | User | admins |
| rturner | User | -- |
## Migration Plan — Firewall Changes (Phase 1.3)
See `migration/phase1-network.md` for full runbook.
### Aliases Created (on pfSense as of 2026-03-09)
| Alias | Type | Members | Status |
|-------|------|---------|--------|
| `Server_IPs` | Host(s) | 192.168.2.254 | **CREATED** |
| `NAS_IP` | Host(s) | 192.168.0.120 | **CREATED** |
**Deleted (not needed):** `Printer_IPs`, `AD_Ports`, `Print_Ports` — printers moving to INTERNAL VLAN (same subnet as PCs, no firewall rules needed between them). `RFC1918` not created — using built-in `_private4_` alias instead.
### Migration Approach (revised 2026-03-09)
Instead of building scoped INTERNAL→LAN rules for a transitional state, the plan is:
1. Move staff PCs to CSCNet WiFi (INTERNAL VLAN 20, 10.0.20.x)
2. Move printer switch ports to VLAN 20 — printers get new 10.0.20.x IPs
3. During migration, old permissive rules keep both networks talking freely
4. After all devices migrated: create scoped INTERNAL → server-only rules, then lock down
### Post-Migration INTERNAL Rules (to create after all devices on VLAN 20)
| # | Action | Protocol | Source | Destination | Dest Port | Description |
|---|--------|----------|--------|-------------|-----------|-------------|
| 1 | PASS | TCP/UDP | INTERNAL net | Server_IPs | 53,88,135,389,445,464,636,3268,3269,5985,9389 | AD/DNS/SMB to DC |
| 2 | PASS | TCP | INTERNAL net | Server_IPs | 3389 | RDP to server |
| 3 | PASS | TCP | INTERNAL net | NAS_IP | 445,5000,5001 | Synology access |
| 4 | PASS | ICMP | INTERNAL net | LAN net | any | Ping diagnostics |
| 5 | BLOCK | IPv4 | INTERNAL net | _private4_ | any | Block other private (LOG) |
| 6 | PASS | IPv4 | INTERNAL net | any | any | Internet access |
### New GUEST VLAN Rules (Phase 1.1)
| # | Action | Source | Destination | Description |
|---|--------|--------|-------------|-------------|
| 1 | BLOCK | GUEST net | 192.168.0.0/22 | Block Guest to LAN |
| 2 | BLOCK | GUEST net | 10.0.0.0/8 | Block Guest to private |
| 3 | BLOCK | GUEST net | 172.16.0.0/12 | Block Guest to private |
| 4 | PASS | GUEST net | any | Guest internet |
### Floating Rule #4 Change
Replace "PASS any/any on ANY interface" with:
- PASS | ResidentsGroup | IPv4 | any → ! _private4_ | "Rooms internet only"
**Rollback:** Re-enable old floating rule #4 (disable first, don't delete).
### Kitchen iPad Isolation (Phase 1.1b — after thermal printer inventory)
Kitchen iPads (9 units) are food-service only — NOT medical. Restrict to kitchen thermal printers only to prevent lateral movement into PHI networks.
| # | Action | Source | Dest | Description |
|---|--------|--------|------|-------------|
| 1 | BLOCK | Kitchen_iPads | Server_IPs | Block kitchen to servers |
| 2 | BLOCK | Kitchen_iPads | NAS_IP | Block kitchen to NAS |
| 3 | PASS | Kitchen_iPads | Kitchen_Printers | Allow kitchen to thermal printers |
| 4 | PASS | Kitchen_iPads | any (80,443) | Allow internet for app updates |
**Blocked on:** Kitchen thermal printer inventory (need IPs/MACs from onsite visit). Kitchen_iPads alias needs MAC addresses of all 9 iPads.
### CSC ENT → CSCNet Migration (LAN → INTERNAL coexistence)
Many staff machines are still on CSC ENT (native LAN, 192.168.0.0/22). During migration, devices on LAN must be able to reach devices on INTERNAL (10.0.20.0/24) by name and IP, and vice versa. The existing LAN rule "INTERNAL to LAN" handles INTERNAL→LAN. Need to verify LAN→INTERNAL routing works (LAN devices reaching 10.0.20.x). Once all devices are migrated to CSCNet/INTERNAL, CSC ENT SSID can be removed.
### Quick Fixes
- Delete Room 130 disabled rule
- Delete "INTERNAL net to LAN net PASS" from LAN rules
## Notes
- This is a large multi-tenant residential property (6 floors, ~236 rooms)
- Each room is isolated on its own /28 VLAN (14 usable IPs per room)
- Floating rule #4 passes ALL IPv4 on any interface - very permissive (to be replaced)
- No port forwards configured
- No IPsec VPN
- No static routes
- `RFC1918` alias was NOT created (documented in error). Using built-in `_private4_` alias instead.
- `Server_IPs` and `NAS_IP` aliases created 2026-03-09. `Printer_IPs`, `AD_Ports`, `Print_Ports` created then deleted — not needed since printers are moving to INTERNAL VLAN.
- Room339 may not be enabled (missing enable tag)
- ~~Room218 DHCP scope misconfigured~~ **FIXED 2026-03-07** — range end changed to 10.2.18.14
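Review bot: the GUEST block list (192.168.0.0/22, 10.0.0.0/8, 172.16.0.0/12) leaves the rest of 192.168.0.0/16 open, so the OpenVPN tunnel network 192.168.10.0/28, which pfSense routes, and any device still sitting in the 192.168.5.x-7.x ranges that appear in the DNS and AP tables remain reachable from guests; the built-in `_private4_` alias the plan already adopts for the post-migration INTERNAL rules closes that gap in one rule. Confirm floating rule #4 does not have Quick set: floating rules are evaluated before interface rules, and a quick pass-any would make the GUEST blocks and the planned INTERNAL rules dead until it is replaced, so record the Quick state next to the Rollback line. In the post-migration table, rule 2 allows RDP from the whole INTERNAL net to the server; scope the source to the admin workstations or the VPN tunnel network. Smaller items worth a line in Notes: floating rule #3 passes port 53 from every internal network to any destination, so room and guest devices can bypass the pfSense resolver entirely; the OpenVPN server uses TLS + local-database user auth with no second factor and client-to-client enabled; and the Users table puts three accounts in the admins group with rturner's group blank.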


@@ -0,0 +1,173 @@
# Network Topology
## Internet Connections
### Primary WAN
- ISP: (not documented in config)
- Interface: igc0
- IP Address: 184.191.143.62/30
- Gateway: 184.191.143.61
- Type: Static
### Secondary WAN (WANCOAX)
- Interface: igc3
- IP Address: DHCP
- Type: Coax backup
- Monitor: 8.8.8.8
- Failover: Part of WAN_Group (Tier 1 with primary)
## Switches
### 1st Floor USW (Core)
- Model: UniFi USW (48-port PoE)
- MAC: 28:70:4e:dc:59:8d
- IP Address: 192.168.3.155
- Uplink: GbE
- Location: 1st Floor
- Clients: 10
- SFP+ 1: -> Switch 2nd Floor (192.168.2.193)
- SFP+ 4: -> Switch MemCare (192.168.2.215)
- Notable ports:
- Port 8: Epson printer (192.168.2.207)
- Port 36: USW-16-PoE VoIP switch
- Port 40: Synology NAS (192.168.0.120)
- Port 41: AP 103
- Port 45: Canon printer (192.168.2.230)
- Port 48: CS-QB (192.168.2.228)
### Switch 2nd Floor
- Model: USW-Pro-24-PoE (UniFi Gen 2, 10G, 400W) — **PENDING REPLACEMENT**
- Previous: UniFi 24-port PoE (MAC: 0c:ea:14:3b:a5:88)
- IP Address: 192.168.2.193
- Uplink: SFP+ (GbE) to 1st Floor USW
- UPS: CyberPower CP500PFCRM1U (500VA/300W, 1U rackmount)
- SFP 1: -> 3rd Floor switch
- SFP 2: -> 1st Floor USW (192.168.3.155)
### Switch 3rd Floor
- Model: USW-Pro-24-PoE (UniFi Gen 2, 10G, 400W) — **PENDING REPLACEMENT**
- Previous: UniFi 24-port PoE (same model as floors 2/4/old MemCare)
- Test unit: USW Pro Max 16 PoE (MAC: 28:70:4e:32:59:24, IP: 192.168.3.134) — to be removed
- IP Address: 192.168.3.134
- Uplink: SFP (GbE)
- UPS: CyberPower CP500PFCRM1U (500VA/300W, 1U rackmount)
- SFP+ 1: -> Switch 4th Floor
- SFP+ 2: -> Switch 2nd Floor
### Switch 4th Floor
- Model: USW-Pro-24-PoE (UniFi Gen 2, 10G, 400W) — **PENDING REPLACEMENT**
- Previous: UniFi 24-port PoE (MAC: 0c:ea:14:3b:a9:a2)
- IP Address: 192.168.3.65
- Uplink: SFP+ (GbE) to 3rd Floor switch
- UPS: CyberPower CP500PFCRM1U (500VA/300W, 1U rackmount)
- SFP 2: -> 3rd Floor switch
### Spare Switches (powered off)
- 3x UniFi 24-port PoE (original floor 2, 3, 4 switches)
- 1x USW Pro Max 16 PoE (3rd floor test unit, MAC: 28:70:4e:32:59:24)
- Status: Powered off, available as spares if needed
### Switch MemCare
- Model: USW-Pro-24-PoE (UniFi Gen 2, 10G, 400W) — **REPLACED 2026-04-07**
- Previous: UniFi 24-port PoE (MAC: 0c:ea:14:3b:b2:08)
- IP Address: 192.168.2.215
- Uplink: SFP+ (GbE) to 1st Floor USW
- Clients: 9
- UPS: CyberPower CP500PFCRM1U (500VA/300W, 1U rackmount)
- Notable: Serves memory care wing (5th/6th floor APs, dining, nurse station)
- Installed via UniFi Device Replacement — settings imported from old switch
### USW Lite 8 PoE
- Model: UniFi USW Lite 8 PoE
- MAC: f4:e2:c6:57:27:87
- IP Address: 192.168.3.214
- Location: MemCare/Kitchen area
- Port 1: Dining Room AP
- Port 2: Printer (192.168.2.202)
- Port 3: Kitchen AP
- Port 7: CHEF-PC (INTERNAL VLAN, 10.0.20.232)
- Port 8: Uplink to Switch MemCare
### USW-16-PoE (VoIP Switch)
- Model: UniFi USW-16-PoE
- MAC: d8:b3:70:21:94:5f
- IP Address: 192.168.3.223
- Location: 1st Floor (connected to Port 36 of 1st Floor USW)
- Clients: 9
- Ports 1-8: AudioCodes VoIP phones (ACL_xxxxx)
- Port 15: Uplink to 1st Floor USW
- Port 16: Vertical-Remote (192.168.2.180)
## Switch Interconnect Topology
```
1st Floor USW (Core - 48 port)
├── SFP+ 1 ──> Switch 2nd Floor (24 port)
│ ├── SFP 1 ──> 3rd Floor USW Pro Max 16 PoE
│ │ └── SFP+ 1 ──> Switch 4th Floor (24 port)
│ └── SFP 2 ──> 1st Floor USW (loop/redundancy)
├── SFP+ 4 ──> Switch MemCare (24 port)
│ └── Port 15 ──> USW Lite 8 PoE
└── Port 36 ──> USW-16-PoE (VoIP, 16 port)
```
## Wireless Access Points (82 total)
### AP Summary by Floor
| Floor | APs | Offline | Models | Notes |
|-------|-----|---------|--------|-------|
| 1 | 16 | 3 (108, 121, 128) | U6-Lite, U7 Pro | Includes Rec Room, Kitchen, Dining |
| 2 | 13 | 1 (204) | U6-Lite, U7 Pro | Includes 2nd Floor Atrium |
| 3 | 13 | 1 (335) | U6-Lite, U7 Pro, U6 Pro | Includes 3rd Floor Atrium |
| 4 | 10 | 3 (406, 441, 450, 4th Fl Atrium) | Various | |
| 5 | 2 | 0 | U6-Lite | 505, 517 |
| 6 | 3 | 0 | U6-Lite, U7 Pro | 608, 615, 622 |
| Common | 6 | 0 | Various | Dining, Kitchen, MemCare areas |
| Special | 1 | 0 | - | CC Bridge (mesh) |
### Offline APs (Needs Attention)
| AP Name | MAC | Last IP | Uplink | Notes |
|---------|-----|---------|--------|-------|
| 108 | 0c:ea:14:3e:55:c6 | 192.168.6.127 | Mesh | Wrong IP range (192.168.6.x) |
| 121 | 0c:ea:14:3e:5e:ae | 192.168.2.184 | Mesh | |
| 128 | 0c:ea:14:1b:2e:d1 | 192.168.2.95 | - | No uplink |
| 204 | 0c:ea:14:3e:5d:42 | 192.168.7.243 | - | Wrong IP range (192.168.7.x) |
| 335 | 0c:ea:14:3e:54:5a | 192.168.2.206 | - | |
| 406 | 0c:ea:14:36:aa:01 | 192.168.2.4 | - | |
| 441 | 0c:ea:14:3e:5e:32 | 192.168.2.200 | - | |
| 450 | 0c:ea:14:36:72:ad | 192.168.6.207 | - | Wrong IP range (192.168.6.x) |
| 4th Floor Atrium | 0c:ea:14:36:b3:61 | 192.168.3.28 | - | |
### Common Area APs
| AP Name | MAC | IP Address | Uplink | Clients | Location |
|---------|-----|-----------|--------|---------|----------|
| Dining Room | 0c:ea:14:36:85:89 | 192.168.2.177 | GbE | 26 | Main dining |
| Kitchen | 0c:ea:14:36:af:91 | 192.168.3.73 | GbE | 9 | Kitchen |
| Memcare Nurse Station | 0c:ea:14:3e:62:3a | 192.168.3.129 | GbE | 8 | MemCare wing |
| Memcare TV Room | 0c:ea:14:3e:56:16 | 192.168.2.14 | GbE | 7 | MemCare TV room |
| Memcare Piano | 0c:ea:14:3e:57:fe | 192.168.2.188 | GbE | 1 | MemCare piano area |
| CC Bridge | 0c:ea:14:36:13:45 | 192.168.2.237 | Mesh | 7 | Bridge/connector |
| 2nd Floor Atrium | 0c:ea:14:3e:58:5e | 192.168.3.215 | GbE | 18 | 2nd floor common |
| 3rd Floor Atrium | 0c:ea:14:3e:63:be | 192.168.3.138 | GbE | 8 | 3rd floor common |
## Key Infrastructure Devices
| Device | IP Address | MAC | Location | Notes |
|--------|-----------|-----|----------|-------|
| pfSense Firewall | 192.168.0.1 | 00:f1:f5:34:b3:4a | Server room | Primary gateway |
| CS-SERVER | 192.168.2.254 | 00:22:19:60:50:db | Server room | DC, Hyper-V host (Dell R610) |
| CS-SERVER iDRAC | 192.168.2.65 | 00:22:19:60:50:e3 | Server room | Dell out-of-band management |
| Synology NAS (cascadesds) | 192.168.0.120 | 00:11:32:a7:94:10 | 1st Floor USW Port 40 | synology.cascades.local |
| CS-QB (Hyper-V VM) | 192.168.2.228 | 00:15:5d:02:3b:02 | 1st Floor USW Port 48 | VoIP server |
| Vertical-Remote | 192.168.2.180 | e4:e7:49:52:3a:06 | USW-16-PoE Port 16 | VoIP management |
| NurseAssist | 192.168.3.254 | a8:6d:aa:51:d6:55 | — | Nurse call system? |
## VoIP Phones (AudioCodes)
All on USW-16-PoE, ports 1-8:
| Device | IP Address | Port |
|--------|-----------|------|
| ACL_14325765 | 192.168.3.1 | Port 1 |
| ACL_14827614 | 192.168.2.143 | Port 2 |
| ACL_14865060 | 192.168.3.185 | Port 3 |
| ACL_14761438 | 192.168.2.142 | Port 4 |
| ACL_14761360 | 192.168.2.29 | Port 5 |
| ACL_14761310 | 192.168.3.192 | Port 6 |
| ACL_14761385 | 192.168.3.174 | Port 7 |
| ACL_14761495 | 192.168.3.102 | Port 8 |
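Review bot: the AP Summary does not add up: the rows sum to 64 APs against the "82 total" heading, the Floor 4 row says 3 offline but lists four names (406, 441, 450, 4th Fl Atrium), and the Offline APs table has nine rows against the eight counted in the summary; reconcile against the controller before these figures drive the replacement plan. The interconnect diagram also disagrees with the per-switch sections: it labels the 3rd floor as the USW Pro Max 16 PoE that the Switch 3rd Floor section calls a test unit to be removed, and it shows a Port 15 downlink from Switch MemCare to the Lite 8 that the Switch MemCare section does not list. The "SFP 2 ──> 1st Floor USW (loop/redundancy)" link between the 2nd floor switch and the core is a physical loop; note whether RSTP is enabled on both ends or the second link is shut. Last, the iDRAC at 192.168.2.65 sits on the same flat /22 as printers, phones and staff PCs; once the INTERNAL migration is done, out-of-band management belongs on its own management VLAN, or at minimum behind a Server_IPs-style alias with scoped rules.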


@@ -0,0 +1,81 @@
# VLANs
## VLAN Summary
| VLAN ID | Name | Subnet | Gateway | Interface | Purpose |
|---------|----------------|------------------|---------------|-----------|----------------------------|
| Native | LAN | 192.168.0.0/22 | 192.168.0.1 | igc1 | Management / main LAN |
| 20 | INTERNAL | 10.0.20.0/24 | 10.0.20.1 | igc1.20 | Infrastructure devices |
| 999 | 999GuruTestNet | 10.0.99.0/28 | 10.0.99.1 | igc1.999 | Test/lab network |
## Room VLANs
Each room gets its own VLAN with a /28 subnet (14 usable IPs). All on igc1 trunk.
**Addressing Pattern:** `10.[floor].[room_number].0/28` with gateway at `.1`
### Floor 1 (44 rooms)
Rooms: 101-112, 115-138, 140, 142-149
Missing rooms (no VLAN): 113, 114, 139, 141
Example: Room 101 = VLAN 101, subnet 10.1.1.0/28, gateway 10.1.1.1
### Floor 2 (46 rooms)
Rooms: 201-212, 215-238, 240-249
Missing: 213, 214, 239
Example: Room 201 = VLAN 201, subnet 10.2.1.0/28, gateway 10.2.1.1
### Floor 3 (48 rooms)
Rooms: 301-312, 315-350
Missing: 313, 314
Note: Room339 may not be enabled
Example: Room 301 = VLAN 301, subnet 10.3.1.0/28, gateway 10.3.1.1
### Floor 4 (47 rooms)
Rooms: 401-412, 415-449
Missing: 413, 414
Example: Room 401 = VLAN 401, subnet 10.4.1.0/28, gateway 10.4.1.1
### Floor 5 (21 rooms)
Rooms: 501-512, 514-522
Missing: 513
Example: Room 501 = VLAN 501, subnet 10.5.1.0/28, gateway 10.5.1.1
### Floor 6 (29 rooms)
Rooms: 603-631
Missing: 601, 602
Example: Room 603 = VLAN 603, subnet 10.6.3.0/28, gateway 10.6.3.1
**Total room VLANs: ~236**
## Inter-VLAN Routing
- Performed by: pfSense (pfsense.cascades.local)
- All inter-VLAN routing handled by the firewall
## Interface Groups
| Group Name | Members | Purpose |
|-------------------|--------------------------------------|----------------------------|
| ResidentsGroup | All room interfaces (opt2-opt237) | All resident room VLANs |
| All_Networks | LAN + opt1-opt238 | Every internal interface |
| Wan_Group_Inter | wan + opt240 (WANCOAX) | Both WAN interfaces |
## Migration Plan — VLAN Changes (Phase 1.1)
### New: VLAN 50 — Guest WiFi
| VLAN ID | Name | Subnet | Gateway | Interface | Purpose |
|---------|------|--------|---------|-----------|---------|
| 50 | GUEST | 10.0.50.0/24 | 10.0.50.1 | igc1.50 | Isolated guest WiFi (internet only) |
- DHCP: 10.0.50.50 - 10.0.50.239, DNS 10.0.50.1
- Firewall: block all RFC1918, pass to internet only
- Guest SSID reassigned from Default LAN to this VLAN
- See `migration/phase1-network.md` for full setup
### Remove: VLAN 10 — CSC Internal Network
VLAN 10 "CSC Internal Network" in UniFi appears orphaned (pfSense uses VLAN 20 for INTERNAL). Verify unused and delete from UniFi.
## Notes
- Guest isolation: Each room is on its own /28, rooms cannot communicate with each other
- Floating firewall rule passes all IPv4 - rooms CAN reach the internet (to be replaced with scoped rules)
- DHCP range per room: x.x.x.2 through x.x.x.14 (13 addresses)
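Review bot: the Notes section contradicts itself on room isolation: "rooms cannot communicate with each other" is presented as a consequence of each room having its own /28, but the next line documents a floating rule that passes all IPv4, and since this same file states that pfSense performs all inter-VLAN routing, a floating pass-any rule also permits room-to-room traffic unless it is scoped to non-RFC1918 destinations or preceded by a block rule. Suggest stating which rule actually enforces the isolation (or noting plainly that it is not enforced yet) next to the "to be replaced with scoped rules" remark. Two smaller points in the same hunk: the Floor 1 list (101-112, 115-138, 140, 142-149) contains 45 rooms, not 44, and 45 is what makes the total come to 236 and match the ResidentsGroup range opt2-opt237; and the addressing pattern `10.[floor].[room_number].0/28` should say the third octet is the room's index within the floor (room 101 is 10.1.1.0/28 per the example, so room 349 would be 10.3.49.0/28), because "room_number" reads as the full number 101. Also "Room339" is missing a space.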

View File

@@ -0,0 +1,68 @@
# WiFi Configuration (UniFi)
## SSIDs (3)
| SSID | Network Assignment | AP Group | Bands | Security | Purpose |
|------|-------------------|----------|-------|----------|---------|
| **CSCNet** | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. |
| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi — many machines still on this SSID. Must keep functional (LAN access to servers/printers) until all devices migrate to CSCNet (INTERNAL VLAN). Remove after migration complete. |
| **Guest** | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) |
## UniFi Network Definitions
### Infrastructure Networks
| Network Name | VLAN ID | Gateway | Subnet | Notes |
|-------------|---------|---------|--------|-------|
| Default | 1 (native) | Third-party (pfSense) | 192.168.0.0/22 | Main LAN — servers, infra, APs |
| Guest | **50** | Third-party (pfSense) | 10.0.50.0/24 | Guest WiFi isolation (added 2026-03-06) |
| CSC Internal Network | **10** | Third-party (pfSense) | - | **Mismatch: pfSense has INTERNAL on VLAN 20, not 10** |
| Internal | **20** | Third-party (pfSense) | - | Staff VLAN (10.0.20.0/24) — matches pfSense |
| 999 - Test | 999 | Third-party (pfSense) | - | GuruTestNet |
### Room VLANs (238 total)
All room VLANs are defined in UniFi as "Third-party Gateway" networks. VLAN IDs match room numbers.
**Floor 1 (44):** 101-149 (missing: 113, 114, 139, 141)
**Floor 2 (46):** 201-249 (missing: 213, 214, 239)
**Floor 3 (48):** 301-350 (missing: 313, 314)
**Floor 4 (47):** 401-449 (missing: 413, 414)
**Floor 5 — MemCare (21):** 501-522 (missing: 513)
**Floor 6 — MemCare (29):** 603-631
## Issues
### ~~1. Guest WiFi on Native LAN — NO ISOLATION (High)~~ FIXED 2026-03-06
Guest SSID moved to VLAN 50 (10.0.50.0/24) with internet-only firewall rules. All RFC1918 ranges blocked. DHCP scope: 10.0.50.5010.0.50.239 (190 addresses). **Needs onsite testing to verify isolation.**
### 2. CSC Internal Network VLAN Mismatch (Medium)
UniFi defines "CSC Internal Network" as VLAN 10, but pfSense has the INTERNAL interface on VLAN 20 (igc1.20, 10.0.20.0/24). UniFi also has "Internal" on VLAN 20 (correct). The VLAN 10 network may be unused/orphaned, or it could cause tagging issues if any port or SSID references it.
**Fix:** Verify if VLAN 10 is used anywhere. If not, delete "CSC Internal Network" from UniFi to avoid confusion.
### 3. All SSIDs Use WPA2 Only (Low)
WPA3 is not enabled on any SSID. WPA2 is acceptable but WPA3-transitional mode would improve security for newer devices while maintaining compatibility.
### 4. Kitchen iPads Not Restricted (Medium — Security)
9 kitchen iPads are on INTERNAL VLAN (10.0.20.x) with full access to staff resources. They are food-service only (NOT medical) — used for taking orders and printing to kitchen thermal receipt printers. They should be restricted to kitchen printer access only to prevent lateral movement into PHI networks if a device is compromised.
**Fix:** Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See `security/hipaa.md`.
### 5. No Band Steering or Separate SSIDs (Low)
All SSIDs broadcast on both 2.4 and 5 GHz. Band steering should be enabled (if not already) to push capable devices to 5 GHz for better performance, especially in high-density areas like the Dining Room.
## Migration Plan — WiFi Changes (Phase 1.1)
### Guest SSID → VLAN 50
The Guest SSID will be reassigned from the Default (native LAN) network to a new Guest network on VLAN 50 (10.0.50.0/24). This isolates guest traffic from all internal resources.
**UniFi changes:**
1. Create "Guest" network: VLAN 50, third-party gateway
2. Change Guest SSID network assignment: Default → Guest (VLAN 50)
**Note:** Guest WiFi will briefly disconnect during SSID reassignment.
### Delete CSC Internal Network (VLAN 10)
After verifying VLAN 10 is not referenced by any port profile or SSID, delete "CSC Internal Network" from UniFi to avoid confusion with the correct "Internal" network on VLAN 20.
See `migration/phase1-network.md` for full steps.
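Review bot: the room VLAN count disagrees with the VLAN document in the previous hunk: this file says "238 total" and "238 Networks" for CSCNet, while its own per-floor lists (49-4, 49-3, 50-2, 49-2, 22-1, 29) sum to 236, which matches the "~236" total and the opt2-opt237 ResidentsGroup range there; "Floor 1 (44)" should likewise be 45 for 101-149 minus four missing rooms. Suggest settling on one number so the migration work is not chasing two VLANs that do not exist. In Issue 1 the DHCP scope has lost its separator ("10.0.50.5010.0.50.239"); it should read 10.0.50.50-10.0.50.239 to match the VLAN file. The "Guest SSID → VLAN 50" migration section is still written in future tense ("will be reassigned") although Issue 1 marks the move as done on 2026-03-06; mark the two UniFi steps complete or move them to a changelog. For Issue 4, "restricting kitchen iPad MACs" needs a stated mechanism: every other rule in these two files is scoped by VLAN or IP, so either document the static mappings that tie the nine MACs to fixed addresses the rules can match, or put the iPads on their own VLAN/SSID so the printer-only restriction applies to the segment rather than to nine individual devices, and say which so the rule set referenced in security/hipaa.md can be verified.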